Y2K bug and the consumer. Final report

(1)

(2)

REPORT PREPARED BY

BERLIOZ&C

0

FOR THE

EUROPEAN COMMISSION

Directorate General XXIV

Consumer Policy and Consumer Health Protection

INCLUDES OPINION OF CONSUMER COMMITTEE

PREPARED BY

Georges

BERLIOZ

with the assistance of

Caroline GRA VISSE

and of

Thierry AMRAM Stephane COULAUX Peter TOTH

SEE TAB

Karina ARACHTINGI -SKAFF Maniam SUBRAMANIAM Paola LUGNANI

PERSONS IN CHARGE OF THE PROJECT

Michel

DURUPTY

with the assistance of

Marie-Helene ENDERLIN Terence CANA VAGGIO

European Commission Delegation

LE·j~··ary

?cu:n ;\,,

s~~er.:·t NV~!

:~0::~i·H~g"t~~=,·""dc

zoo37

I/.'

(','

(3)

g2000<Uu1tfw.~4~~~antfw.~.

li)fufe

dw.

~ ~ <m ~to~ (IIU', ~·

<Uu1

~

~~~.dw.~4tiw.~~t¥w.~~~

~-1tb~~~dtat~~cm&1&.~~~~

~. s~ ~~~tie

ena

«MMt

4

~ aru1 ~. fu, ~not

contmt

tie~4aru)-

g¥w,

~·~wAlf~<m~~.~w,Jf~&,dw_

~4~4~totie~2000.

gfu,

~ ~ ~ ~ ~ ~

4 tie

~. <14 oo!wa£ ~- gy<Yl-

du.!,

~ ~4tie~<Uu1~~m~,~<Uu1~~

alfawto+~~~· ~~~anatie~~-

gk

~~dw.~~· f.o.wNe~~. ~~(],~

~ ~

d

m ~ cao.e coot~

4

~- ffiu,~: it~ dud~

~din~ cao.e not&,~·

<Uu1

~ ~ ~ ~ tfu, ~·

tie~

wJf

~to~

m

~.~ana mWoo.-~,

w.Ui

~to~~~.1t~tfud

~

mk

~ana~~£,~ mto ~not

onft_t

~ ~

tut

k

~ ~- s~ tfu, ~ m-td:

mk

t¥w.

~

~ana~~-gfu,~~~4clf~~<l4~4a~~~-1t

am~ka~~· <Yl-4~~a~.

g¥u,.

~4tie.tie~oJ"~"m~

~tuiku..al:f~~~~~tiw.~oJtie~

~tie~. g~u..~ky~.~~. (~

~ana~.y~anafu,b.~~m~~~

~ana~. gfu,y~~£,~~£aw. ~

oJ~. ana~~4~au-~~totie &~ ~

(4)

fotn&~~-~

U:

~

duJ: U:

~ ~ ~ ~

4

dw, ~

tfuJ:

tfw,_

~wAll

~ tfw, nuUn. ~·

tfw,_

~ ~ ~·

3nJua, tfw,_

~

wJf

ca«M, ~

in tfw_ ~· tuUle, anJ ~ anJ ~ ~ ~

wJf

+x

nd ~ tfw_

~·0- ~ ~ anJ ~·

tu.t

kin

a.~~

aJ

CClM.O-~

~· 3nwme~tfw.~oJ~~~.

~k ~. ~~at .tL, end

4

tfw, ~

cluun,

k

~ .tL, ~

fa.wa.~~~nd~<m<UL~oJalf.tL_~oJ~ ~.~~~~~tfw_~~~~~ ~duw...

3ncaMaJ~~~~ta~,tL_~aJ~

~ ~~ ~ fuwe, ~ ~ ~ tfw,~ <m ~ ~ anJ

~ ~·

gfw_

~

aJ

~ a.ru1 ~in caM

aJ

fU}fl,-~

oJ

~ ~~y~. 3n~t-uUk, anJ~o.afe, ~

wJf~k~~·

gLfwa~~~~twt~

~~aJ~in tJw,_F~duun., &.xk~~ ~

~m<JM-fwa~·

~k~aJ~~~.

~

~ ~

con!wf.t.

3n tfw,

~ ~. tfw, ~(1M,

a£w

¥·

anJ ~

tootfw,_~4Y~~~~~<m~a.na ~~.

Wi!i~ta.~~tfw.~.

~~

in~~. «w~, ~~.~in~), ca,n,

Memk

~. tu!, in~·

_F.t:L,

~OIL~~ .tL, ~am

~ ~. Gl)~

aJ

~

wJf k

OfW-

4 tfw,_

~ ~' a.ru1 ~

~ m-ucl:

k

~ ~·

3n~~~~m.a.i.n~~~.U:i4~duJ:4~

~. ~a.~<MW-, can,~~~~a.t~~. al

~and~ a. tuwei .tL, ~

wJf k

~ ta tfw_ ~ ~

aJ

~

~·

gfw_~wJfk~¥<m~~. ~~~. &d

~ ~ ~ ~ nd

ta

k

~. ~ tfw_ domMw

4-ct

4 tfte

(5)

~~y~.ana~~w&&.~~·

~. t¥w,

y

~wAif nd ~.

m

~ ~. t¥w, ~ ~

4 tie

~.3~.~Y~w.JF~_rb-~~w&~~ ~anaF~4Y~~~~UM,~~

~

coufa

~ tfu, ~

4

tfu, ~ ~·

ffi~ tfu, ~

4 tie 15

~ ~~ ~ aA

.F

tie

~4~.~au!£_,~~~.tie ~~tftenu.a_F~~~k~~k~tie

~k. ~~mka.~oJ~. luwek~, &.~to~

<Uu1 <WOO) tfu, ~ ~

tfuu..

~ to~ 41A ~· ~n<kea,

tie

~oJ~awloJtfu,~_F~.m~~~~.~~ ~oJtfu._~.~~~to~~.a!~ ~.on~~~~~,in.~kalfo.w~to~ ~~~~~~~.

ffi~.~4~.F-~~w&~_FM~

~4~m~to~_F~k~t¥w_~~~

~1~!4Jnu.a&.~~4~·

~wa, ~ ~ ~ ~ ~ 2000, tfu, aim

4

~~~to~

tie

~4~todte~mdw,~~.

~to

(6)

the fear of the new millennium.

THE lVlil.,l.,F.NAR IAN

R

IS.K

AND

THE CONSUiv1ER

Problems for consumer computers and technological products

But especially the effect of problems resulting from softwares and

enterprise's computer systems, embedded computers and the domino effects of networks

Chain of disasters foreseeable Multitude of litigations

As the fateful date of 1st January 2000 draws near, the year 2000 bug problem is becoming more and more of an urgent event. The media coverage of the problem has a tendency to focus on the impact on enterprises. For a long-time they presented only the crossing of this date as important. However, the nightmare scenarios are beginning to show the potential impact on the consumers.

Between the doom scenarios and passivity, it would be prudent to prepare oneself not only for the adaptation, but also for the effects of the year 2000 computer transition.

MULTIPLE PROBLEMS

The problems will appear not only on 1st January 2000 and on the first working day, (that is on 3rd January 2000), but also on several critical dates.

The year 2000 bug may be considered by the consumer as something in the field area of computer and information technologies. Until the end of the 1990s the bug problem was treated particularly by the media as being too technical for the public at large. However, daily life and safety, and consumers' financial assets and interests are affected by the problems of transition to the year 2000.

For the moment, the year 2000 problem has remained relatively confined since we are still about 200 days from the critical date. Nevertheless, the problem has arisen in the context of computation of dates after 1st January 2000, that is the system jamming itself by interpreting it as another date, 1900, 1980 or 1990. The risks will be individual risks and also general public risks.

Y2K Bug <md the Consumer 14/08/99

9

(10)

A belated a•kening

... ~ In fact, the first millennium problems, which had to be resolved, were solved in the

~-:T":bt..~~,

1970s. In life insurance contracts of 25 years duration, financing contracts and real

~

/ ·

~J.

estate sureties for 25 years, the first problems appeared in 197 5.

~

//!\'··.·

_{\~, .}£~}

· \• ..

'·.··.·.:.:··~·.···.···

J

.•..•. :

....

~

The importance of the year 2000 bug problem was recognised in the second half of

'

the 1990s. The risks of malfunctioning of the computer systems arise not only ~:,.;., ··,..~ .. from hardware problems relating to computer clocks, but also from encoding of

i.' ~ microprocessors and software. Warning by the media

It is from 1995 that the media coverage of the problem in public expanded. To a large extent, the coverage focused on the risks for enterprises and in the computer sector.

The problems have recently multiplied when deposit and consignment office networks were jammed because of the problems arising from the use of credit cards with validity dates after 1999.

An important problem for enterprises was the scrapping of products with expiry dates after 1999, treated as if they were manufactured a century ago. The loss was thus borne by the manufacturer. After 1st January 2.000 the risks will be reversed.

After the sensitisation of large enterprises, only small and medium sized enterprises and consumers remain to be mobilised.

In the U.S.A., the calling up is made under the regis of the FTC and the CPSC (see consumer.gov; ftc.gov; y2knews.com; cpsc.gov).

Faced with a widely spread risk, whose consequences are considerable and overwhelming, it is important to avoid panic and passivity.

The consumer will be the direct victim as a buyer of the bug product, but also the indirect victim as customer of the bug victim enterprises or user of affected products or equipment.

He can by his vigilance and prudence minimise the risks. When risks materialise, he must be able to limit the consequences and exercise his right of actions.

10

EUROPEAN COMMISSION

(11)

An unspecified risk

Between doom and gloom and misinformation,

the turn of the millennium can be considered as a major danger for the consumer.

Some people raise the end of the world type scenario with titanic risks: mad weapons systems with a nuclear apocalypse, at the very least stationery trains and paralysed road transports, blocked financial transfers, diverted financial markets, jammed lifts, electricity failure, etc.

Others say that it is a misinformation practised by the manufacturers, editors and computer services providers. The reactions are thus from fatalism to catastrophes.

If the danger was illusory and maintained by the beneficiaries of the costs, the consumers will have been penalised by the excessive costs, which will be passed on the prices. If the danger was real they will be penalised by the disruptions caused.

On 15/16 January 1998, the CardiffEuropean Council meeting acknowledged the serious effects (on the computer systems and electronic equipment) that the year 2000 transition problems may create beyond borders. On 11/12 December 1998, the Vienna European Council meeting issued a report on "How the EU is tackling the year 2000 Computer". Similarly the conclusions of the Council of Europe in Cologne on 3d and 4th of June 1999 invited the Commission to gather high level experts able to present proposals with a view to adopting strategic decisions to protect the proper functioning of essential infrastructures. The Council has also invited the Commission to meet and to disclose to the public. on a world-wide scale information on preventive measures. At the same time, the impetus given by the European Union has been translated by the Commission into a report, (for the Council, the Parliament, the Economic and Social Committee and the Committee of Regions), on the preparation by infrastructures (energy, transport, water, security, nuclear, telecommunications, and finance) for the transition to the year 2000 within the European Union and its transmission on 2nd of June 1999.

In this regard, the difficulty of assessing risks, complexity of technical problem, and the necessary division of risks revealed in the first case law, show that the protection of consumers, as users, constitutes a particularly difficult subject. The problem is international, and will involve multiple litigation, with international proceedings with considerable discussions on conflict of laws, such as on the contents of the national law.

11

(12)

The globalisation and intemalisation of markets, techniques of production and tight distribution flow, migratory work and monetary and financial markets rest on the flow of information, the conclusion of market operations is done by computers. The liquidity of markets in financial matters, production flow in industrial matters, delivery systems in commercial matters etc. require proper technological functioning, the transmission of information without problems. The technological progress and ever growing importance of information systems make the economy and the functioning of social life particularly vulnerable. Even at the consumer level, the phenomenon grows with Internet which the consumer uses for services and electronic trade.

Due to the rapid development of computer capacities, the computer industry's analysis of developments may appear to it that the due dates of some years as being far away. The continuation of practices can be analysed either as a method, that has saved costs for the users (but only short term), or as a protection of margin.

Besides, we can question the responsibility of large consulting firms, which have not, in the interest of their customers, and the general

12

economy, argued for a rapid adaptation of software and hardware. It is true they profit handsomely from it, but a responsibility, at least a moral one, of obligation to advise does not seem to have been fully respected.

It is now acknowledged that the year 2000 compliance requires an adaptation or a modification of the systems, the extent of which is difficult to measure. The adaptation or modification has a high cost and In any event will not be completely ensured.

Enterprises have to ensure the compatibility of their functioning and that of the products or services offered by them. As regards the public, it depends largely, apart from cases of domestic use of computers, on enterprises and public authorities. This is not to say that the public be totally passive. It is all more necessary because the plans in the context of the year 2000 projects do not generally take into account the consumer dimension. The extent of the potential problem means that the control of risks will be uncertain. In principle and effectiveness, the compensation of damages risks being very high.

BERLIOZ& C0

Y2K Bug and the Consumer

14/08/99 EUROPEAN COMMISSION

(13)

1BEIIOU.IOF'IIllllm101REU.

The year 2000 bug is a technological risk from computer and information technologies whose origin is known, but whose consequences are not yet determined. The probability of significant consequences, whose causes may be very distant and result from a chain of phenomenon with a chain of damages, is unquestionably considerable.

THE MILLENARIAN BUG

The Year

2000 bug

is

the result of a dating

problem. The

dating

rule since the

beginning of the computer age has in fact

been

incorporated

into the design of

hardware, components and software.

l/01100

The year 2000 bug arises from the ambiguity of the date expressed: 1st day of the year 2.000 or first day of 1900.

The technical origin of this is the use of two digits in the encoding of data processing cards to indicate the year, following a DD/MM/YY rule (instead of DD/MM/YYYY). The data processing cards were used at the end of the 19th century for the 1890 American population census. The machines used were mechanical and allowed to do the sorting. It is with the generation of computers, (which, thanks to the appearance of the integrated circuits, ensured multiple functions), that the computer began to come into general use, first in the enterprises and then in the public. At that time, a memory of few thousand bytes was the norm, whereas now we speak of billions of bytes in computers sold to the general public.

In the 1960s when processed date-numbers were recorded according to two digits coding, nobody reacted to this anomaly. It was meant not to slow down the entry of information, avoid using memory capacities ineffectively and not slow down the processing. For components, as for personal computers, which had very little memory, the rule has been pursued and has even been used in the softwares.

The consequences of this, for hardwares, softwares or components using this rule, is that year 2000 will be interpreted as year 1900, which will cause a faulty functioning of all the programmes using a date.

The discontinuity of the New Years Eve of 31st December 1999, at the time of the transition to 1st January 2000, will be classed as a return to the past by the non-adapted computer systems. This problem will recur for 24H at the transition speed of different time zones.

14/08/99

13

EUROPEAN COMMISSION

(14)

The calendar errors arising out of the use of an erroneous century risks being completed by errors on the year 2000 calendar. As regards the numbering of the year in two digits, the year 2000 is likely to be interpreted as the year 1900, a non-leap year. All dates after 29th February 2000 will therefore be incorrect when a simple by pass has been used to remedy the year 2000 bug.

BUG

At the time of'~lamp computers''(:first computers), the insects gotstuck on. a lamp byJtullping on it

which caused:ia computer breakdown. Since then a "bug" means a computer· breakdown.

The bug affects not only computer sites but also embedded computers. The latter is present in most high technology equipment; it is at the heart of what is customary to qualify as information technology.

As the date is used to sort out, calculate calendar intervals or to compare dates, the bug leads either to jamming, or processing errors. The error in the database comprising the date will thus end up in an incorrect implementation of the technology based on this information.

LINKED PROBLEMS

Using the day of the 1st January of the century is a method used to set the first day ofthe week.

Program codes depending on the first day of the week will be affected by a century error, the 1st of January 2000 being a Saturday and the 1st January 1900 having been a Monday.

2000 is a leap year whereas 1900 was not. This is due to a set of complex rules according to which a year is considered to be a leap year if:

it can be divided by 4,

except if can be divided by 100 but not by 400.

This· rule has not always been applied, thus the problem of dates after the February 28th, 2000.

Certain data use a reference to the year 1900. 1999 is· thus represented as the year· 99 (after 1900). In this model of representation, the year 2001 will be considered as 101 (after 1900) and consequently as 19101, or after 2000, as20101.

14

(15)

Localisation

of the bug

The bug is localised

For computer systems In the hardware In the software For technological systems

In the microprocessors The bug spreads

through networks

Hardware

First of all, the bug stems from a hardware problem, but which is only the visible face of the problem.

In view of the two digits dating rule for the year, the standard RTC1 of PC microcomputers generally store only two digits of the year2• Furthermore, many chips only store two digits. Finally, computer systems can be linked to, or include, clocks with two digits only for the year.

The BIOS3 of the recent computers is programmed to transform the date from two into four digits and to correct the erroneous dates. The machine will thus give exact results, except if specific

application calls the computer clock directly.

It should be noted that most clocks continue to be two digits for the year, (as an important part of the microprocessors), the adaptation arising out of what one often qualifies as patches at software

level (including direct access to the clock for interceptor). The clock is in fact engraved m a component, the chipset which can only be corrected by the semi-conductor manufacturer.

Software

A good part of the year 2000 transition problems will come from software particularly packaged software.

The date is entered into 1nost softwares, whether they are computation, management file, documentary management, computer assisted manufacturing (CAM), computer aided page layout

(CAPL), etc.

1

Real Time Clock

2

It is not the case for Apple Mackintosh whose clock which provides temporal information is a meter for the number of

seconds lapsed since 1st January 1904. The operating system converts this number into date when a software requests it. 3

Basic input output system: the software which manages the fundemental functions of the PC and which is inscribed in the programmable chip

14/08/99

15

(16)

In many programming languages, the dates of reference are limited to six digits, two of which are for the year. It was an inherent aspect of the COBOL language4, which was much used in computing management so was the FORTRAN language5 in the industry. The two digit coding ins a problem for OPEN VMS, UNIX and C language.

Furthermore, to test certain date category fields, the programmers have in some software used 99 as the upper limit and 00 as the lower limit.

'•itiilli

W~!~!t!:o~n~d~~j~

~~

~~~~~JJ

10/10/200~ (first day whiichreo1lir1e~

Considering the processing chains and the composite multiple language application parks, the dating problem is likely to have chain effects.

Operating systems

The bug affects the operating systems which constitute the fundamental level of software.

The operating systems are affected to various degrees according to their age. As regards the operating systems, Windows 3.1 is not compatible, Windows 95 requires correction patch, and Windows 98 does not appear totally compatible. WinFile does not correctly indicate dates beyond 1999.

Applications. standard software packages

Many softwares sold to the public at large do not go beyond the year 2000. Furthermore, the transition to the year 2000 does not necessarily mean that there is no problem. Dates from the 20th century, particularly dates before 1980, cannot therefore be correctly processed. The dates 99, 9/99 and 9/9/99 and 99th day of 1999 are likely to affect the processing of files.

In standard software, the seriousness of the problem is underlined by the non-compatibility of the widely known software. Progressively, software editors develop and supply patches to users.

The nature of the problems and patches are available on the software editors' websites:

• for Microsoft see www.microsoft.com • for Lotus see www.lotus.com

In custom made software packages, compilation is not possible and the examination must carried out according to billions of instruction lines.

There are two ways to correct custom-made software: one is the extension consisting of placing the dates on four digits and the other is the windowing which allows to programme that any year digit

4

Common Business Oriented Language

5

Formula Transition

14/08/99

16

EUROPEAN COMMISSION

(17)

above 50 is a 20th century date and any digit below is of the following century. The second solution is of course less satisfactory and leaves the possibility of errors.

level (including direct access to the clock for interceptor). The clock is in fact engraved m a component, the chipset which can only be corrected by the semi-conductor manufacturer.

Microprocessors

The chips will be another important source of bugs.

the chips, unforeseeable and omnipresent nest of bugs

It is what one calls under the term of electronic. The computer processor components (embedded

components, black boxes) are integrated and consist of, in particular, what is commonly called

embedded computer. According to estimates, there are 5 billion embedded chips in the United States and 15 billion worldwide. It is estimated that between 2 to 5°/o of the chips are likely to have a year 2000 problem. This rate which may appear relatively low has on the other hand considerable potential consequences: if 2°/o of the chips cease to function, 100 million processors will be paralysed (without counting secondary effects).

The embedded systems are generally composed of a microprocessor and memory components. As the software part which controls this type of systems is written in low level language, it is difficult to examine.

They are particularly widespread in network management, and in maintenance, safety and control systems. Besides the difficulty of localising the circuits, the inter-connections between systems increase the proportions ten fold. The presence of a modem or an interface in a network with the bug is likely to deprive the effective functioning of the entire network. It is the case in the telephone cables and satellite systems. What is commonly called the information highway is regulated by computer systems, particularly by embedded computers.

The typical example of potential problem of another type of analogous dating is that of GPS with internal clocks in the satellite positioning systems which count weeks from 6 January 1980 until 1024, after which the counting restarts from 1st week. On 22nd August 1999, they will set themselves at zero hour. The receivers, which have more than 2 years can give incorrect positions, and if they are connected to other systems, lead to secondary effects.

17

EUROPEAN COMMISSION

(18)

The bug

symptoms

Disruption phenomenons

Any system using a malfunctioning clock, internal or external (for example by connecting to a pay machine providing two digits for the years), or receiving an information transmitted by a non-compatible means (such as non-non-compatible modem or interface), or processed by a software affected by the defect is going to have a failure. The dating itself, but also computation of intervals, sorting, and date comparisons are going to be distorted.

Jamming

The error as to the date can lead to jamming of the system to which data that it judges incoherent are supplied, or which will be rightly programmed to jam. The total jamming has the advantage of being immediately apparent, but it can have disastrous consequences if it jams the functioning of a control or security system (for example rupture of a cold chain, alarm system, a power station control system).

Malfunctioning

The date serves to classify, identify and compare. The year 2000 bug can lead to a dating processing error, which can lead to an erroneous analysis of the files.

Overflow

The computer stored date passes from 99 to 100. This can cause 00 in the memory zone, but a reservoir spreads to the adjoining memory segment. The machine ceases to function.

The data concerning the consumer can be wholly or partly destroyed, or processed incorrectly. This loss, or classification or processing errors will be detrimental where the files contain data that constitute rights (rights to benefits, etc.) or important information (files in doctor's clinic).

It is necessary to equate the bug as insertion of an erroneous calendar. Either it is an error made by a software based on two digits dating which will categorise 2000 as 1900 and will not take into account that it is a leap year by use of an erroneous century, or errors in the calendar programming by non-application of rules that wants a year divisible by 400 or a leap year. In the two cases, there will be errors in the year 2000 dates after 29 February. The danger of a calendar error is very deceptive and thus very difficult to deal with.

The consequence of malfunctioning can take place either at the data collection stage, or at their processing stage, or at the end of the transmission stage.

Affected systems

It is difficult to establish an exhaustive list of the types of systems which may be affected by the bug. All systems containing a processor, those driven by software and combination of systems, and even all systems which use any clock where the year is logged by using two digits only are affected.

All electronic programming systems are potentially affected in so far as they are more than weekly cycles. Automatons and machine tools, which allow the robotisation of production, are particularly affected, like those that take part in the information highway.

18

EUROPEAN COMMISSION

(19)

The control systems generally contain a clock recording the signalled problems. It is same for report editing systems, marking printers or maintenance systems equipped with internal clock. Labelling, quantity, manufacturing management systems, and all those which analyse or produce bar codes are affected.

Reaction

to

the

bug

Mobilisation of economic operators

Economic operators have been made aware and efforts are being made to mobilise enterprises. Enterprises are strongly encouraged to prepare themselves, to make tests, to modify their equipment

and to ensure that the enterprise, its products and

services will be year 2000 compliant.

The enterprise ·must

But it must also be prep:Jre i·~elfnotonly recognised that enterprises have internal risks, arising out of a~corc)ilniJQ internal

risks

the enterprise's equipment and systems, and also external butalso external risks~ risks, resulting from third parties

on which the enterprise is interdependent. The greatest

difficulty arises from inter-connected systems, and from world-wide level interactivity.

19

EUROPEAN COMMISSION

(20)

A

costly penny·pinching

Penny-pinching by computer experts:

a costly economy

Correcting the effects of the year 2000 bug will be costly and is a gigantic mess.

MACRO-ECONOMIC IMPACT OF THE BUG

The first consequence of the bug is the rising costs of replacing hardware and software and the setting up correction programmes.

Very often, the user will be forced into using the most recent version of

Windows, forcing a costly adoption that compels the purchase of more powerful computers. Users who have the old

versions, often kept because the most recent versions still have many bugs, are therefore forced into considerable expenses, without any functional utility other than to remedy the problems left

by the editors. These forced sales generally burden directly the user consumer and indirectly the consumers while considerably benefiting the software editors and consultants.

Furthermore, disruptions caused by the failure due to the bug have consequences whose considerable significance appears established, but in a manner which at the moment remains unforeseeable because they are based on problems which have not been localised whose effects are likely to spread in secondary chain manner.

THE BUG AND EFFECT OF CHAOS

It is particularly significant that the bug, (the term which comes from moths which settled on the lamps of first computers and by burning disrupted the functioning ofthe computer), brought out the moth effect of the chaos theory. Phenpmenon that may appear harmless, the bug can have chain effects, with multiplication of chain of consequences, which lead to considerable disruptions.

The consumer, enterprise's customer and end user in the economic chain may thus be heavily penalised.

14/08/99

20

EUROPEAN COMMISSION

(21)

DISRUPTIONS CAUSED BY THE BUG

The consumer law protects the

legitimate expectation of. the

consumer.

The computer is no more in the

limbo and the burden of bugs,

in particular year 2000 bugs,

cannot weigh on the consumer.

The modern economy is based on an expectation of the enterprises' operating dependability and on the consumer's trust in the quality and safety of the products. Besides, this legitimate expectation and trust characterise the consumer protection regulations. The mass production and distribution have given birth, after the dangers of mechanisation, to periods of industrial development and the establishment of a consumer law. The doctrine of caveat emptor (buyers beware) is replaced by various obligations to a consumer who can only be passive in many contractual relationships corresponding to the development of standard contracts and more generally adhesion contracts.

This expectation and trust risk are placed in danger by the year 2000 bug. The dependability, basis of consumption, is disrupted by the same technology.

The consumer, as user of products and services, will be affected by the problems caused to the enterprises by the bug. The bug is likely to compromise the continuity of the enterprise's operations, its survival in case the computing means fail or become inoperable. It is likely to call into question the continuity of the most essential public services.

Disruptions among economic operators

The bug is capable of affecting the management systems, production equipment, control systems like delivery, private and public telecommunication systems and networks, and computer data exchange systems. All economic functions are thus affected.

Internal risk

Operators are threatened by risks from internal sources directly affecting the functioning of the operator, enterprise, local authorities or administration. It affects production activities (manufacturing chains, machine tools, automatons, production control), commercial activities (telephone switchboards, management of orders, invmcmg, delivery), administrative or management services (accounting, wages). The generation of erroneous purchase orders, inaccurate transfer orders, are examples of problems that can cause the bankruptcy of enterprises.

Domino effect

External risks are those that come from business partners, suppliers, customers and generally all those on whom the operator relies. Services are among the source of considerable risks, in particular those managing networks or those depending on them, like the telecommunications, payment systems, supply of essential services systems (energy, water, etc.).

21

EUROPEAN COMMISSION

(22)

It should be noted that two enterprises that are ready, but with a different correction system (pivotal year, changing century, etc.) can provoke a conflicting situation making everything incompatible with the year 2.000 transition.

Affected sectors

The affected operators are in all the sectors. It is not possible to draw up an exhaustive list of those which are the most vulnerable, but it includes in particular energy, telecommunications, transport, oil and raw materials, food, equipment and chemicals, defence industry, computer and technology industry, car industry, building industry, publishing and television industry, banking and finance industry.

It is not only the commercial sectors, but also the simple market economy. The logistic problems will affect particularly the control and management systems in the smart buildings (alarm, access control, air conditioning, lifts). They will affect all public services.

Products and services

The bug will affect the quality and functioning of the products used by the consumers, in particular products that contain technological systems such as cars, boats, electronic equipment etc. Besides, (by disrupting production, control, delivery, invoicing systems and generally all the functions relating to production), the malfunctioning affects the products that have no direct link to the computer, from food products to medicines.

It is the same for the user of services disrupted by the bug. Some sectors are considered as particularly vulnerable. The financial sector is affected, for banks the problem is ensuring the reliability of operations, mainly payments. It is a sector where technological developments are generally well assured and where investments and preparation efforts are probably up to date. Furthermore, the greatest possibility of systematic risks exist in the electricity networks, emergency and health services or agribusiness industry.

The non-commercial services will also be affected. The authorities are lagging behind. The American Inland Revenue Service thinks that its application software will not function. The national identification systems are not necessarily year 2000 compliant, for example the French system (where year of birth is coded with two digits) is not year 2000 compliant.

22

EUROPEAN COMMISSION

(23)

...

BUG CORRECTION TECHNIQUES

When the bug is the result of a two digit coding, the correction can be made by:

Upgrading the date from two to four digits. This solution is the most durable but is the very expensive as it implies the correction of a considerable number of files and databases,

Using a pivotal date. Corrections are thus algorithmic, i.e. using 1950 as a pivotal date: Every date between 00 and 50 will be considered as being between 2000 et 2049, Every date between 50 and 99 will be considered as being between 1950 et 1999.

It is clear that algorithmic corrections leave place to several sources of errors. Furthermore, two systems made Year 2000 compliant, by the means of different methods, if once interconnected, will globally not be compatible.

23

EUROPEAN COMMISSION

(24)

H

. . . . of the ...

PREPARATION OF ECONOMIC OPERATORS

Private and public operators are encouraged to make preparation plans with procedures for identifying risks, tests, and preventive processing. The consumer must not only be informed, honestly and with care, of the risks, but also of the measures he must take for his own protection. In the interest of the consumers, enterprises must be aided and strongly encouraged to make these preparations.

Managers of companies, like controlling shareholders, must be made aware that insufficient preparation would likely be considered as a management error, making the directors and de facto

and de jure managers liable in case of judicial rehabilitation proceedings of companies. It would be the same if the state of preparation were too optimistic.

Enterprises' preparation plans

Preparation constitutes a financial burden for enterprises. In the United States, a loan guarantee system for SMEs has been set up. In France, tax measures have been taken to allow the provision of costs.

The verification must not only be on the computer systems but also on all equipment containing microprocessors. The enterprise, often a layman as to computer systems, is all the more a layman when it concerns microprocessors which can be incorporated into technological equipment, electronic equipment and programming software used by it.

The important aspect, for the consumer, is the supply of information to customers, which are not a promotional effort aimed at artificially assuring them. Information on product risks and problems that may affect services must be candid and prudent.

Enterprises' safety plans

Consumers will not be protected if enterprises do not protect themselves against external risks with adequate safety plans. In view of the uncertainty of certain risks, safety plans must be adopted to secure functions that are important to consumers. The possibility of power cuts is forcing vulnerable enterprises to equip themselves with generators to avoid disruptions.

That is why banks are equipping their trading rooms with independent generators and air conditioners. Such a step must be expanded on pain of incurring liability. Back up systems by parallel computer equipment and independent energy supply must be put in place.

It is clear that such safety plans will be less frequent in SMEs.

Consumers' preparation plans

Regarding consumers, it is a question of making them aware without dramatising the situation.

Consumers must be infonned of the risks, their obligation of vigilance, measures to take and legal actions open to them in case of malfunctioning resulting from the transition to the year 2000.

Campaigns must be carried for consumers by television, newspapers and booklets to make them aware of the year 2000 difficulties.

24

EUROPEAN COMMISSION

(25)

Absence of zero risk and management of risks

As the bug is omnipresent, affecting all programmes, and present in automatons, electronic equipment, and security systems, and as the enterprises are interdependent and open to the world, they are at the mercy of their partners. It is recognised that it is impossible to reach "zero bug'' First of all it is impossible to detect all the potential problems and, for reasons of costs and rapidity of processing, the two digits dating continues to be largely used by the

computer industry. Many compliant techniques, like the floating century, do not eliminate the risks, but merely reduces them.

Enterprises are thus advised to manage risks that disrupt their activity to the point of putting them in peril, and then to manage them by striving to maintain the risks below the level. Strong incentives for the preparation may have been taken by the insurance companies. In France, where an increase of 50,000 damages is expected during the year 2000, insurance companies have implemented measures having as a result the taking of adaptation measures as a "sine qua non" condition

covering the damage. In fact, a technical "year 2000 co-ordination" platform was implemented between the companies. This platform is supposed to contribute the experts' assistance to insurance companies. Their role will be purely technical. At the same time they should ascertain and explain

the causes of the damages linked directly or indirectly to the year 2000 and to list adaptation and

protection measures for the year 2000 that the concerned enterprises would have taken. This co-ordinating platform combines itself with the signature by the near total of the companies of a single

claims adjustment agreement. This agreement provides for, in case of doubt relating to the "year

2000" origin of a damage and on request of the companies' experts concerned, that the companies

should resort to the platform in order that only one year 2000 expert per damage is designated, charged with drafting a purely descriptive technical report . This report will have authority to be commonly accepted by the companies concerned by the damage.

This is the only initiative of this type in a Member State.

Widely circulated, this type of initiative - and related information - would incontestably have an impact on enterprises in terms of encouraging them to the preparation and prevention and could thus belong to the preventive and anticipation measures. However, in this regard, it is important to point out that various French courts, in justifying the absence of a compulsory insurance system for computer professionals, have approved the position of insurance companies which exclude the risk of covering the year 2000 risk relating to professionals. There is no compulsory insurance system

for computer risks concerning disparate enterprises. From that moment on, the anticipation of the

extension of the position of the courts to all enterprises could jeopardise any encouragement of preparation efforts.

Considering the cumulative effect of the chain processings and of the networks, the probability of problems arising out of residual risks is therefore considerable. The consumer, who is at the end of the economic chain, will thus be exposed to all the chain effects. In light of the interdependence of economies and globalisation of the markets, the consumer will be affected by all the problems that could affect the supply chain; he will be exposed to all the effects transmitted beyond the border. The multiplication of computer problems, especially their unforeseeability, characterise the year

2000 bug problems. A disruption factor in the enterprises' activities, the year 2000 bug problems is particularly worrying to the extent it can cause personal injuries and interruptions in essential

services. When human life is at stake, the number of disasters rapidly become catastrophic.

25

EUROPEAN COMMISSION

(26)

Y2 K Bug and the Consumer 14/08/99

26

EUROPEAN COMMISSION

(27)

The consumer cannot have an active role in the internal organisation of the enterprise, but he can

take the necessary measures as to his own protection and adapt his position to the potential risks.

14/08/99

27

EUROPEAN COMMISSION

(28)

The

consumer

and

the

bug

ridden

product

The consumer, user of

a

bug ridden product

The consumer is vulnerable to the year 2000 transition as buyer of products that may be bug ridden because he has become a computer user and because he is buying many products with microchips.

The powerlessness of the consumer to press on the companies' choice of internal adaptations to the year 2000 gives a certain specific character to its vulnerability . It is what the Consumers Committee revealed in its opinion dated 24 September 1998 on the Year 2000 related problems. The Committee recommends a more complete information possible of the consumers on the state of the enterprises preparation. The Committee's finding of vulnerability and the deliberations of the European Union authorities (i.e. Conclusions of the Cardiff and Vienna summits, the Commission's report of 2nd June 1999on the preparation of the infrastructures for the year 2000) have led to the decision to carry out this study.

The computer user consumer

The consumer has become a computer user with the appearance of personal computers, (Apple and PCs as they are called ), in the 1980s.

Because of the decrease in the price of hardware, the consumer has become more and more a frequent user of computer systems. It is what we generally call personal computer. Following the increasing sophistication of the technical products, the microprocessors, the price of which has decreased very significantly, has swept through a range of products purchased by the public, from cars to video cameras, washing machines and games.

The consumer, who is the user of computer products, systems and services or products containing microprocessors, is likely to be a direct victim of the bug. Even the consumer who does not use a computer system can be the direct victim of a technical system containing a microprocessor.

The problem is the product supplier's liability to the consumer. This liability is that of the seller and the manufacturer.

The legal status of the consumer is similar to that of an enterprise, subject to his status from viewpoint of the consumer protection, and also because the computer will be a standard system and not a system manufactured to the specific needs of a professional.

From viewpoint of certain laws, the consumer will be in the same situation, as the professional who purchases the computer that is not directly connected to his activity6

6

On the extension of the notion of consumer see for example in Netherlands : decision of the Commercial Court of Hilversum of 25 January 1995, Praktijkgids 1995, Revue Europeenne de Droit de la consommation no. 4247, REDC 1996-70.

The definition of consumer in the directive proposal on the sale and guarantee of consumer goods (see Mario Tenreiro, The directive proposal on sale and guarantees of consumer goods, REDC 1996-187) extends to any individual who buys a good for final use, even if the purchase is carried out for a purpose which is not part of his professional activity. In fact, any individual 11

Who, in the contract of sale falling within the present directive, acts for the purpose which does not fall directly within his professional activity11

is considered as consumer. It is important to point out that this extension of the notion of consumer has not been retained in Directive n°99/44 adopted by the Council.

28

EUROPEAN COMMISSION

(29)

The consumer must rely on the technique skills of his hardware or software supplier, or on his service provider. However, he can at least play a partially active role.

On computer or technological product, the consumer can be an informed user, if he is computer addict, in the sense less a layman than a non-computer scientist professionaC. He will join the professional purchasing a computer system not directly linked to his activity, whom the French case law treats as a consumer8•

However, with the development of the computer for the public at large, one can consider that in most cases the consumer will be a layman, which does not exempt him from possibilities of action and therefore possibly from the obligation to ensure the adaptation.

The definition of consumer as a non-professional user of a product or a service is particularly tricky in this context. If we can differentiate the use of computers at home, this overlaps more and more the personal and professional use.

The consumer and the failing of

a

bug ridden product

The malfunctioning due to the bug affects directly the computer product or technologic equipment used by the consumer.

The consumer as user finds himself in the same situatiOtl as an enterprise, given that if in. a computer pro(luct he can be

"warnedtl,

as

it is stillmore evident that f!enerallv he will a lavman.

The consumer who is the victim of the bug can either suffer an inconvenience, or suffer damages to his financial and material interests, or suffer personal injury.

For certain products, such as computer products, the bug risk is evident. For other products, as regards the consumer in any case, the problem of information is different.

Computer products: home computer

The computer has spread into the consumer's homes and computers have become consumer products. This phenomenon is particularly due to the decrease of the price of computers that are now sold more and more in supermarkets.

The computer can be used for play or leisure activity (game, multimedia) or for management of home interests (word processor, files, personal management software, stock market management software), or for educational uses. Rightly or wrongly, the contract will be qualified as "computer contract". This will be purchase agreements, license agreements, computer service agreements, and development software package agreements.

As regards the hardware, it will be mainly personal computers, PC or MAC (which do not have hardware problem, but whose application software have similar risks). The use of servers by the consumers will be rare unless we categorise professionals (especially SMEs), who do not have the computer as their main activity, as consumer.

7

The consumer law categorises the end user as layman. The special competence of the consumer will not however deprive him of the protection of the consumer law

8

See for example in France, Cass.Civ.l st December 1998

29

(30)

The impact of a crash on the consumer will not generally be dramatic (for example non-functioning of a video-recorder recording on 29th February 2000) and, as many have underlined, consumers have been accustomed to software editors supplying bug ridden products. This is does not mean that the damage will not be significant. The vulnerability of the consumer who has made a sizeable

purchase for educational purpose is similar

to the vulnerability that exists regarding children's encyclopaedias. Moreover, as regards, for example the financial management software or stock portfolio management software, the impact of a processing error or of a defective transmission can cause a considerable damage to the consumer's property interests.

The consumer can be a purchaser of new products, but he can also be a user of products already purchased.

In any case, it is appropriate that he preliminary issue which arises is

"ageing" tests, and in any event he

confirmation of dispatch and

(the consumer) does not remain passive. The one of duty of care: the consumer can carry out can take safety measures such as "back up", receipt, control of emissions and receptions etc. Its is the duty to co-operate in computer contracts.

14/08/99

30

EUROPEAN COMMISSION

(31)

9

See for example under Irish law article 14(3) of the Sale of Goods and Supply of Services Act 1980 "goods are of merchantability quality if ... as durable as it is reasonable to expect having regard to any description applied to them, the price (if relevant) and all the other relevant circumstances». Also in Art. 14 of the Sales and supply of Goods Act of

1994 «the quality of the goods includes ... durability ».

Article 5(2) of the Greek Consumer Protection law defines the period "during which it is reasonable to expect that the

product could be used for the purposes which it is intended. even if for that it must be repaired or if certain parts must

be replaced, until wear and tear of the product makes the product unuseable or economically without interest".

The durability is often imposed by environmental laws. In Denmark, article 5 of the Law on Environment Protection

(1991) requires suppliers to design products with the longest life span possible.

14/08/99

31

EUROPEAN COMMISSION

(32)

COMMERCIAL GUARANTEE

Commitments undertaken by manufacturers and sellers must, under Member States legislation, be additional guarantees in so far as it cannot be derogated from the legal guarantee. This principle is retained in Article 6 of the Directive n° 99/44/EC passed on 25th of May 1999 on the sale and guarantees of consumer goods, which will be applicable within all Member States at the latest on 1st January 2000. Moreover, guarantees that do not add anything to the rights already held by the consumers, or a fortiori which seeks to reduce those rights, would constitute a misleading advertising.

The year 2000 compliant labels must be examined in light of these principles.

Ente~

t

i~es volun

~

rily

use year

( ~el~::~~ft1ficationsi1afei not w I1:ho-utJ'lronierns ,tt<nhth<:~:vle,

" '

'!;H:!IIil!!i~

...

'

'i!i'lf!il!ii'! ' . '~

l l

'!'/!!:,·

~f~~

~%~

;~b~~;e~c~:~n~e

i:lfif~

i

~i.il~~

results;;!!from the· ·additional

functio1lality are~~~en·unimportanlf6~·:~rr~~~~t~om;unier

In vie)¥[qfthe

lif

~ii~

pflns

taken i r.

tto

· ac~

~~

u!}t

;

;:

on which' the yeat;:2ooo cornplianc~e~i.s :~ltsillred.'

compli

~ij~

~

span of'a importanc~

when~,~,~~

increased

Produp~s,{o""

sale:

.~press

or u·

np,tJf/4'l:

P,f!t(.,fll~(ltlron

i''

.

··!iiil[ll!llliill,i

·:'

,,iii

Prod~

b~~·;

i~r

sale.

can

be consiaer·eo·

~S.

j[

pe

:

Lng

.• patible

;~tt~

;

1

£f

ansition

to

th

ci

'

year 2000, in any case from the

pl\(Qt,(l~Hclat~~lDidlc:a

' '"" '

>

·

11 i!~~1::

)

A majqritY

h

>f

.

manufacttm:~rs I.~~~~~

~

:~~~~~?:,;t1~e

··· :

~ap~

~1f,

yr.,oftta.tlsition·:toli.·

·wl ,year 2000.

T¥~~'

c

self) certification of year 2ooo

th

~ pt~

~lem

•

o

f'

tlie

:

mea~ii

l:

Jll

~

f

the year 2oog:

label ..

As

;it has been pointed out) '' ·for. ·'is not ab~Q}ute, and it is the same

for

li

many

sofi\vares

.

No . . . ;adopte(U~nd there are only

natiori~ll!~~hemes~ W~i¢h

!IIF.

1

v<,·:rn;;·r·_,

'

Norms have

also

"

Be

· en

developed . Irrthis; tho·',"'""'•+fHITrii'¥,~w has defined the year 2000 compliaric~ ~yaluation criteria.

14/08/99

32

EUROPEAN COMMISSION

:'·::·-::-::·-::· ···:<

Y2K bug and the consumer. Final report

REPORT PREPARED BY

BERLIOZ&C

FOR THE

EUROPEAN COMMISSION

INCLUDES OPINION OF CONSUMER COMMITTEE

Georges

SEE TAB

Michel

European Commission Delegation

?cu:n ;\,,

:~0::~i·H~g"t~~=,·""dc

zoo37

g~~2000~~<Uu1tfw.~4~~~antfw.~.

dw.

<Uu1

ena

4

contmt

~~tie~~~4~~aru)~~-

g¥w,

gfu,

4

tie

du.!,

gk

d

4

<Uu1

wJf

m

w.Ui

~to~~~~~.1t~~~tfud

mk

onft_t

tut

k

mk

t¥w.

g¥u,.

~4~~tie~~.tie~oJ"~"m~

U:

duJ: U:

4

tfuJ:

tfw,_

tfw,_

3nJua, tfw,_

wJf

wJf

+x

tu.t

kin

aJ

4

cluun,

k

gfw_

aJ

aJ

oJ

wJf~k~~·

gLfwa~~~~twt~

~m<JM-fwa~·

~k~aJ~~~.

~

con!wf.t.

3n tfw,

a£w

¥·

Wi!i~ta~~.~~~~tfw.~.

~~

Memk

_F.t:L,

aJ

wJf k

4

tfw,_

k

wJf k

g2000<Uu1tfw.~4~~~antfw.~.

tie~4aru)-

~to~~~.1t~tfud

~4tie.tie~oJ"~"m~

Wi!i~ta.~~tfw.~.

_{\~, .}£~}